Malware, Network Security, Vulnerability Management

Pwn2Own competition flushes out five Apple bugs, four Microsoft flaws

Independent researchers collected $267,000 in bug purchases this week at the annual Pwn2Own contest at CanSecWest in Vancouver, after demonstrating vulnerability exploits in Apple (5 bugs), Microsoft (4), Oracle (2), and Mozilla software (1).

Richard Zhu, aka “fluorescence,” emerged as the Master of Pwn, winning the annual content with a total of 12 points. According to an event recap from Trend Micro's Zero Day Initiative, the organizers of Pwn2Own, Zhu successfully leveraged two use-after-free vulnerabilities in the Microsoft Edge browser and an integer overflow in the kernel in order to run code with elevated privileges. Later, he exploited an out-of-bounds write flaw in the Mozilla Firefox browser and an integer overflow in the Windows kernel to achieve an escalation of privileges and earn $120,000 over two days of competition.

Two entrants managed to separately pull off exploits of the Apple Safari browser. The first used a JIT optimization bug in the browser and a macOS logic bug to escape the sandbox, and then a kernel overwrite to execute code with a kernel extension. The other combined a heap buffer underflow in Safari and an uninitialized stack variable in macOS to enable a sandbox escape and code execution.

Another entrant exploited an out-of-bounds read and a time of check-time of use bug in Oracle VirtualBox.

During the competition, each contestant was given three chances to demonstrate their exploits within a 30-minute window. In addition to the bugs that were successfully exploited, ZDI reports there were several more uncovered in failed and withdrawn attempts. Affected vendors have been given 90 days to produce security patches for the reported bugs.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.